Many networks storing web resources, such as web applications, web pages, or other content, include security management apparatus(es) that, among other functions, protect server devices storing the web resources from malicious attacks. One such type of attack is a remote access trojan (RAT) attack in which a RAT uses a client device infected with malware to hijack a user session via a web browser instance, which is most commonly a hidden web browser tab or window. By hijacking the user session, the RAT can steal user credentials or execute fraudulent transactions, for example.
In some types of RAT attacks, the malware on an infected client device is configured to establish a connection to a malicious device over a communication network, for example by virtual network computing (VNC). The established connection allows a user of the malicious device to control the infected client device, including by generating hidden web browser instances and controlling a mouse or other input device.
In one particular example, the malware is configured to automatically establish a connection with a malicious device when the malware determines that a user has established a session with a bank web site. A user of the malicious device can then use the infected client device to instantiate a hidden web browser instance, hijack the session established by the user with the bank web site, and conduct fraudulent transactions using the hijacked session. Unfortunately, there is currently no effective way to detect RAT malware on client devices in order to mitigate RAT attacks.